CN105099825B - A kind of safeguard method and device of external Bypass - Google Patents

Publication number
CN105099825B
Authority
CN
China
Prior art keywords
primary circuit
safety guard
extension wire
boundary port
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510505253.9A
Other languages
Chinese (zh)
Other versions
CN105099825A (en)
Inventor
黄发
刘慧兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201510505253.9A
Publication of CN105099825A
Application granted
Publication of CN105099825B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The invention discloses a security protection method and device for an external Bypass, intended to reduce the risk of network service interruption when traffic is forcibly or manually switched back to the primary line after a primary-line fault. In the method, when a fault of the IPS device on the primary line is detected, the current network is switched from the primary line to the backup line; connectivity detection messages are then sent periodically to the primary line to detect whether it has returned to normal; and after the primary line has been detected as normal continuously for a set duration, the current network is switched from the backup line back to the primary line. This not only provides protection against an IPS port fault or device fault by switching the external bypass to the backup line, but also solves the problem that, because the working port of the primary line is closed after the switch to the backup line, a forced or manual switch back to the primary line carries a risk of interrupting network service.

Description

Security protection method and device for an external Bypass
Technical field
The present invention relates to the field of network security, and in particular to a security protection method and device for an external Bypass.
Background art
As network applications become more widespread, more and more network security problems are exposed, and more and more network security detection products are deployed in existing networks. Each added node adds a risk to the stability of the existing network. To reduce the impact on the network of a sudden failure of the security detection product itself, the prior art combines a switch with a bypass function (Bypass) and the security product into one protection scheme: when an interface of the Intrusion Prevention System (IPS) on the primary line fails, or the device itself fails, the external Bypass switches to the backup line to protect the network.
However, in the prior art, once traffic has been switched to the backup line, the working port of the primary line is closed (down), so the original primary line cannot be monitored in real time. As a result, when traffic is forcibly or manually switched back from the backup line to the primary line, it is not known whether the primary line is normal, and there is a serious risk that network service is interrupted by the switch back, which affects the completion of network services.
Summary of the invention
The object of the present invention is to provide a security protection method and device for an external Bypass, so as to reduce the risk of network service interruption when traffic is forcibly or manually switched back to the primary line after a primary-line fault.
The object of the present invention is achieved through the following technical solutions:
A security protection method for an external Bypass, comprising:
when a fault of the Intrusion Prevention System (IPS) device on the primary line is detected, switching the current network from the primary line to the backup line;
periodically sending connectivity detection messages to the primary line to detect whether the primary line has returned to normal, and, after the primary line has been detected as normal continuously for a set duration, switching the current network from the backup line to the primary line.
This not only solves the prior-art problem of protecting against a port fault or device fault of the security detection device by switching the external bypass to the backup line, but also solves the prior-art problem that, after the switch to the backup line, the working port of the primary line is closed and the primary line is not monitored in real time, so that on a forced or manual switch back it is not known whether the primary line is normal and network service risks being interrupted.
Optionally, the method further comprises:
in a pre-configuration stage, configuring the primary line and the backup line between a first network device and a second network device, wherein,
on the primary line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device, the first non-boundary port of the security protection device, the IPS device, the second boundary port of the security protection device, and the third boundary port of the security protection device;
on the backup line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device and the third boundary port of the security protection device;
wherein connectivity detection messages can be sent and answered through the boundary ports, and are transparently forwarded as-is through the non-boundary port.
Optionally, when a fault of the IPS device on the primary line is detected, switching the current network from the primary line to the backup line specifically comprises:
when the heartbeat detection messages sent by the IPS device on the primary line cannot be received according to a preset condition, determining that the IPS device on the primary line is faulty, and switching the current network from the primary line to the backup line by connecting the third boundary port of the security protection device to the first boundary port of the security protection device.
Optionally, after the current network is switched from the primary line to the backup line, the method further comprises:
receiving the heartbeat detection messages sent by the IPS device, and, when the received heartbeat detection messages are determined to meet the preset condition, periodically sending connectivity detection messages to the primary line.
Optionally, periodically sending connectivity detection messages to the primary line to detect whether the primary line has returned to normal specifically comprises:
periodically sending a connectivity detection message through the first boundary port of the security protection device to the first non-boundary port of the security protection device on the primary line, and judging whether the first boundary port of the security protection device can receive the connectivity response fed back by the second boundary port of the security protection device; if so, determining that the primary line has returned to normal; otherwise, determining that the primary line has not returned to normal.
Optionally, after the primary line has been detected as normal continuously for a set duration, switching the current network from the backup line to the primary line specifically comprises:
after the primary line has been detected as normal continuously for a set duration, switching the current network from the backup line to the primary line by connecting the third boundary port of the security protection device to the second boundary port of the security protection device, and stopping the sending of connectivity detection messages to the primary line.
A security protection device for an external Bypass, comprising:
a control unit, configured to notify a processing unit to switch the current network from the primary line to the backup line when a fault of the Intrusion Prevention System (IPS) device on the primary line is detected;
the control unit being further configured to periodically send connectivity detection messages to the primary line to detect whether the primary line has returned to normal, and, after the primary line has been detected as normal continuously for a set duration, to notify the processing unit to switch the current network from the backup line to the primary line.
This not only solves the prior-art problem of protecting against a port fault or device fault of the security detection device by switching the external bypass to the backup line, but also solves the prior-art problem that, after the switch to the backup line, the working port of the primary line is closed and the primary line is not monitored in real time, so that on a forced or manual switch back it is not known whether the primary line is normal and network service risks being interrupted.
Optionally, the control unit is further configured to:
in a pre-configuration stage, configure the primary line and the backup line between a first network device and a second network device, wherein,
on the primary line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device, the first non-boundary port of the security protection device, the IPS device, the second boundary port of the security protection device, and the third boundary port of the security protection device;
on the backup line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device and the third boundary port of the security protection device;
wherein the control unit can send and answer connectivity detection messages through the boundary ports, and the connectivity detection messages are transparently forwarded as-is through the non-boundary port.
Optionally, when a fault of the IPS device on the primary line is detected and the current network is switched from the primary line to the backup line, the processing unit is specifically configured as follows:
when the control unit cannot receive, according to a preset condition, the heartbeat detection messages sent by the IPS device on the primary line, it is determined that the IPS device on the primary line is faulty, and the processing unit switches the current network from the primary line to the backup line by connecting the third boundary port of the security protection device to the first boundary port of the security protection device.
Optionally, after the current network is switched from the primary line to the backup line, the control unit is further configured to:
receive the heartbeat detection messages sent by the IPS device, and, when the received heartbeat detection messages are determined to meet the preset condition, periodically send connectivity detection messages to the primary line.
Optionally, when periodically sending connectivity detection messages to the primary line to detect whether the primary line has returned to normal, the control unit is specifically configured to:
periodically send a connectivity detection message through the first boundary port of the security protection device to the first non-boundary port of the security protection device on the primary line, and judge whether the first boundary port of the security protection device can receive the connectivity response fed back by the second boundary port of the security protection device; if so, determine that the primary line has returned to normal; otherwise, determine that the primary line has not returned to normal.
Optionally, when the current network is switched from the backup line to the primary line after the control unit has detected the primary line as normal continuously for a set duration, the processing unit is specifically configured as follows:
after the control unit has detected the primary line as normal continuously for a set duration, the processing unit switches the current network from the backup line to the primary line by connecting the third boundary port of the security protection device to the second boundary port of the security protection device, and causes the control unit to stop sending connectivity detection messages to the primary line.
Brief description of the drawings
Fig. 1 is a flow diagram of the security protection method for an external Bypass in an embodiment of the present invention;
Fig. 2 is a diagram of the connections between the security protection device and the network devices in an embodiment of the present invention;
Fig. 3A is a diagram of the primary-line connection between the first network device and the second network device in an embodiment of the present invention;
Fig. 3B is a diagram of the backup-line connection between the first network device and the second network device in an embodiment of the present invention;
Fig. 4 is a flow diagram of switching from the primary line to the backup line in an embodiment of the present invention;
Fig. 5 is a flow diagram of switching from the backup line to the primary line in an embodiment of the present invention;
Fig. 6 is a structural diagram of the security protection device for an external Bypass in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In view of these shortcomings of the prior art, the present invention not only solves the prior-art problem of protecting against a port fault or device fault of the security protection device or equipment by switching the external bypass to the backup line, but also solves the prior-art problem that, after the switch to the backup line, the working port of the primary line is closed and the primary line is not monitored in real time, so that on a forced or manual switch back to the primary line it is not known whether the primary line is normal and network service risks being interrupted.
As shown in Fig. 1, an embodiment of the present invention provides a security protection method for an external Bypass. The detailed process is as follows:
Step 100: When a fault of the IPS device on the primary line is detected, switch the current network from the primary line to the backup line.
Further, in the pre-configuration stage, the primary line and the backup line between the first network device and the second network device are configured. On the primary line, the first network device sends service messages to the second network device through, in order, the first boundary port of the security protection device, the first non-boundary port of the security protection device, the IPS device, the second boundary port of the security protection device, and the third boundary port of the security protection device. On the backup line, the first network device sends service messages to the second network device through, in order, the first boundary port and the third boundary port of the security protection device. Boundary ports are used to send and answer connectivity detection messages; the non-boundary port transparently forwards these connectivity detection messages as-is.
Fig. 2 is used below as an example to illustrate the connections between the security protection device and the network devices. The first boundary port of the security protection device is port2, the first non-boundary port is port3, the second boundary port is port6, and the third boundary port is port7. The IPS device has two ports, port4 and port5. The port of the first network device is port1 and the port of the second network device is port8. The path of primary line A between the first network device and the second network device is therefore: port1 → port2 → port3 → port4 → port5 → port6 → port7 → port8, as shown in Fig. 3A; in this case port2 sends service messages on the line connected to port3 through contact 4. The path of backup line B is: port1 → port2 → port7 → port8, as shown in Fig. 3B; in this case port2 sends service traffic directly on the line connected to port7 through contact 3, and sends connectivity detection messages on the line connected to port3 through contact 4. In addition, contact 4 of port2 is permanently connected to port3 and is not affected by primary/backup switching. Primary/backup switching is performed directly by the controller switch. The controller comprises a control unit and a processing unit. The control unit notifies the processing unit to carry out the corresponding action according to whether the heartbeat messages sent by the peer (the IPS device) are received. The processing unit carries out the corresponding action according to the action command received from the control unit.
Specifically, when a fault of the IPS device on the primary line is detected, the current network is switched from the primary line to the backup line as follows: when the heartbeat detection messages sent by the IPS device on the primary line cannot be received according to the preset condition, the IPS device on the primary line is determined to be faulty, and the current network is switched from the primary line to the backup line by connecting the third boundary port of the security protection device to the first boundary port of the security protection device.
For example, after the external IPS device on primary line A shown in Fig. 2 goes down, or its interfaces port4 and port5 are closed or fail, it stops sending heartbeat messages. The control unit of the controller of the security protection device then no longer receives heartbeat messages from the peer (the IPS device) and considers the IPS device faulty. When the fault of the IPS device on the primary line is detected, the switch contact of port7 of the security protection device is moved from contact 2 of port6 to contact 1 of port2, which completes the switch from primary line A to backup line B. The flow for switching from the primary line to the backup line is shown in Fig. 4.
S401: Detect whether the heartbeat detection messages sent by the IPS device can be received according to the preset condition. If they cannot, proceed to S402; otherwise make no change and continue working on the primary line.
S402: Report to the control unit of the controller; the control unit notifies the processing unit to switch from primary line A to backup line B, that is, to move the switch contact of port7 of the security protection device from contact 2 of port6 to contact 1 of port2.
S403: Work on backup line B. port2 now sends service messages directly through contact 3 on line B connected to port7, and sends connectivity detection messages to primary line A; that is, boundary port port2 starts sending connectivity detection messages through contact 4 to port3, which is connected to primary line A.
Step 101: Periodically send connectivity detection messages to the primary line to detect whether the primary line has returned to normal; after the primary line has been detected as normal continuously for a set duration, switch the current network from the backup line to the primary line.
The sending period of the connectivity detection messages can be adjusted to suit the performance of the security protection device; the suggested detection period is one message per second (1 s).
Further, after the current network has been switched from the primary line to the backup line, the heartbeat detection messages sent by the IPS device are received, and only when the received heartbeat detection messages are determined to meet the preset condition are connectivity detection messages sent periodically to the primary line.
Specifically, periodically sending connectivity detection messages to the primary line to detect whether it has returned to normal proceeds as follows: a connectivity detection message is periodically sent through the first boundary port of the security protection device to the first non-boundary port of the security protection device on the primary line, and it is judged whether the first boundary port of the security protection device can receive the connectivity response fed back by the second boundary port of the security protection device. If so, the primary line is determined to have returned to normal; otherwise, the primary line is determined not to have returned to normal.
Specifically, switching the current network from the backup line to the primary line after the primary line has been detected as normal continuously for a set duration proceeds as follows: after the primary line has been detected as normal continuously for the set duration, the current network is switched from the backup line to the primary line by connecting the third boundary port of the security protection device to the second boundary port of the security protection device, and the sending of connectivity detection messages to the primary line is stopped.
For example, once the heartbeat detection messages sent by the IPS device can be received as expected, boundary port port2 sends connectivity detection messages to primary line A. Non-boundary port port3 makes no response on receiving a connectivity detection message and forwards it directly to port4 of the IPS device. When boundary port port6 receives from port5 of the IPS device a connectivity detection message addressed to it, it immediately returns a response message. If boundary port port2 receives the connectivity detection response returned by port6, primary line A is considered to have returned to normal. If primary line A is detected as normal throughout a continuous set duration (5 s is suggested), it is considered possible to switch back from backup line B to primary line A; this is reported to the control unit of the controller, and the control unit notifies the processing unit to switch from backup line B to primary line A and to stop sending connectivity detection messages to primary line A. If boundary port port2 cannot receive the response message returned by port6, primary line A is considered not yet to have returned to normal, and operation continues on backup line B. The flow for switching from the backup line to the primary line is shown in Fig. 5.
S501: By default, when powered off, the device works on backup line B. After power-on it enters a wait state and prepares to receive the heartbeat messages sent by the peer (the IPS device);
S502: Detect whether the heartbeat detection messages sent by the peer can be received on schedule. If they can, proceed to S503; otherwise return to S501;
S503: Start sending connectivity detection messages to primary line A through boundary port port2, and proceed to S504;
S504: Judge whether boundary port port2 can receive, as expected, the connectivity detection response message returned by the other boundary port, port6. If it is received, proceed to S505; otherwise return to S503;
S505: Report to the control unit of the controller; the control unit notifies the processing unit to switch from backup line B to primary line A, that is, to move the switch contact of port7 of the security protection device from contact 1 of port2 to contact 2 of port6, and proceed to S506;
S506: Work on primary line A. port2 now sends service messages directly through contact 4 on primary line A connected to port3, and stops sending connectivity detection messages to primary line A.
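The switch-over and switch-back logic of S401 to S403 and S501 to S506, written out as a small simulated controller. This is an added example, not code from the patent; the class and field names, the one-tick-per-probe-period simulation, and the three-missed-heartbeats stand-in for the "preset condition" are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Path(Enum):
    PRIMARY = "primary"  # port7 switch contact on port6: traffic passes the IPS
    BACKUP = "backup"    # port7 switch contact on port2: the IPS is bypassed


@dataclass
class BypassController:
    """Hypothetical model of the controller (control unit + processing unit)."""
    probe_period_s: float = 1.0    # the page suggests one probe per second
    stable_window_s: float = 5.0   # the page suggests 5 s of continuous success
    heartbeat_miss_limit: int = 3  # assumption standing in for the "preset condition"
    path: Path = Path.BACKUP       # S501: an unpowered device sits on the backup line
    probing: bool = False          # True while port2 sends probes towards port3
    missed: int = 0                # consecutive periods without an IPS heartbeat
    healthy_since: Optional[float] = None
    transitions: List[Tuple[float, Path]] = field(default_factory=list)

    def _switch(self, now: float, new_path: Path) -> None:
        # Processing unit: move the port7 contact, then reset the probe state.
        self.path = new_path
        self.probing = False
        self.healthy_since = None
        self.transitions.append((now, new_path))

    def tick(self, now: float, heartbeat_seen: bool, probe_reply: bool) -> Path:
        """Advance one probe period. probe_reply is ignored unless probing."""
        self.missed = 0 if heartbeat_seen else self.missed + 1

        if self.path is Path.PRIMARY:
            # S401/S402: heartbeat lost by the preset condition -> backup line.
            if self.missed >= self.heartbeat_miss_limit:
                self._switch(now, Path.BACKUP)
            return self.path

        # On the backup line from here on; traffic is not inspected by the IPS.
        if not heartbeat_seen:
            # S502 -> S501: no heartbeat, so do not probe and forget any progress.
            self.probing = False
            self.healthy_since = None
            return self.path

        self.probing = True  # S503: port2 probes primary line A through contact 4
        if not probe_reply:
            # S504 -> S503: port6 did not answer; the continuous window restarts.
            self.healthy_since = None
            return self.path

        if self.healthy_since is None:
            self.healthy_since = now
        if now - self.healthy_since >= self.stable_window_s:
            # S505/S506: normal for the whole window -> primary line, stop probing.
            self._switch(now, Path.PRIMARY)
        return self.path


def run(events, controller: Optional[BypassController] = None) -> BypassController:
    """Feed (heartbeat_seen, probe_reply) pairs, one per probe period."""
    ctl = controller if controller is not None else BypassController()
    for i, (heartbeat_seen, probe_reply) in enumerate(events):
        ctl.tick(i * ctl.probe_period_s, heartbeat_seen, probe_reply)
    return ctl


# Constructed timeline (not measured data), one entry per second from t = 0:
SAMPLE_EVENTS = (
    [(True, True)] * 6      # t=0..5   power-on on backup, primary answers probes
    + [(True, False)] * 2   # t=6..7   on primary, heartbeat present
    + [(False, False)] * 5  # t=8..12  IPS goes down, heartbeat missing
    + [(True, True)] * 3    # t=13..15 IPS back, probes answered
    + [(True, False)]       # t=16     one probe lost: the window restarts
    + [(True, True)] * 6    # t=17..22 five clean seconds, then switch back
)

if __name__ == "__main__":
    for when, path in run(SAMPLE_EVENTS).transitions:
        print(f"t={when:>4.1f}s -> {path.value}")
```

The lost probe at t=16 is what the continuous-duration requirement guards against: the switch back happens at t=22, not as soon as the first reply arrives at t=13.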
Based on the above technical solution, as shown in Fig. 6, an embodiment of the present invention also provides a security protection device for an external Bypass, comprising a control unit 60 and a processing unit 61, wherein:
the control unit 60 is configured to notify the processing unit 61 to switch the current network from the primary line to the backup line when a fault of the Intrusion Prevention System (IPS) device on the primary line is detected;
the control unit 60 is further configured to periodically send connectivity detection messages to the primary line to detect whether the primary line has returned to normal, and, after the primary line has been detected as normal continuously for a set duration, to notify the processing unit 61 to switch the current network from the backup line to the primary line.
Optionally, the control unit 60 is further configured to:
in a pre-configuration stage, configure the primary line and the backup line between a first network device and a second network device, wherein,
on the primary line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device, the first non-boundary port of the security protection device, the IPS device, the second boundary port of the security protection device, and the third boundary port of the security protection device;
on the backup line, the first network device can send service messages to the second network device through, in order, the first boundary port of the security protection device and the third boundary port of the security protection device;
wherein the control unit 60 can send and answer connectivity detection messages through the boundary ports, and the connectivity detection messages are transparently forwarded as-is through the non-boundary port.
Optionally, when a fault of the IPS device on the primary line is detected and the current network is switched from the primary line to the backup line, the processing unit 61 is specifically configured as follows:
when the control unit 60 cannot receive, according to a preset condition, the heartbeat detection messages sent by the IPS device on the primary line, it is determined that the IPS device on the primary line is faulty, and the processing unit 61 switches the current network from the primary line to the backup line by connecting the third boundary port of the security protection device to the first boundary port of the security protection device.
Optionally, after the current network is switched from the primary line to the backup line, the control unit 60 is further configured to:
receive the heartbeat detection messages sent by the IPS device, and, when the received heartbeat detection messages are determined to meet the preset condition, periodically send connectivity detection messages to the primary line.
Optionally, when periodically sending connectivity detection messages to the primary line to detect whether the primary line has returned to normal, the control unit 60 is specifically configured to:
periodically send a connectivity detection message through the first boundary port of the security protection device to the first non-boundary port of the security protection device on the primary line, and judge whether the first boundary port of the security protection device can receive the connectivity response fed back by the second boundary port of the security protection device; if so, determine that the primary line has returned to normal; otherwise, determine that the primary line has not returned to normal.
Optionally, when the current network is switched from the backup line to the primary line after the control unit 60 has detected the primary line as normal continuously for a set duration, the processing unit 61 is specifically configured as follows:
after the control unit 60 has detected the primary line as normal continuously for a set duration, the processing unit 61 switches the current network from the backup line to the primary line by connecting the third boundary port of the security protection device to the second boundary port of the security protection device, and causes the control unit 60 to stop sending connectivity detection messages to the primary line.
In summary, in the embodiments of the present invention, when a fault of the IPS device on the primary line is detected, the current network is switched from the primary line to the backup line; connectivity detection messages are sent periodically to the primary line to detect whether it has returned to normal; and after the primary line has been detected as normal continuously for a set duration, the current network is switched from the backup line to the primary line. This not only solves the prior-art problem of protecting against a port fault or device fault of the security detection device by switching the external bypass to the backup line, but also solves the prior-art problem that, after the switch to the backup line, the working port of the primary line is closed and the primary line is not monitored in real time, so that on a forced or manual switch back to the primary line it is not known whether the primary line is normal and network service risks being interrupted.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these modifications and variations.

Claims (10)

1. A method for security protection of external bypass functionality (Bypass), characterized in that it comprises:
When a fault of the Intrusion Prevention System (IPS) device on the primary circuit is detected, switching the current network from the primary circuit to the extension wire;
Periodically sending connectivity testing messages to the primary circuit to detect whether the primary circuit has returned to normal and, after the primary circuit has been detected as normal throughout a continuous set duration, switching the current network from the extension wire to the primary circuit;
Wherein, in a pre-configuration stage, the primary circuit and the extension wire between a first network device and a second network device are configured, wherein, using the primary circuit, the first network device can send service messages to the second network device by passing successively through the first boundary port of the safety guard, the first non-boundary port of the safety guard, the IPS device, the second boundary port of the safety guard, and the third boundary port of the safety guard; using the extension wire, the first network device can send service messages to the second network device by passing successively through the first boundary port of the safety guard and the third boundary port of the safety guard; wherein connectivity testing messages can be sent and responded to through the boundary ports, and the non-boundary port can directly transparently transmit the connectivity testing messages.
2. The method of claim 1, characterized in that, when a fault of the IPS device on the primary circuit is detected, switching the current network from the primary circuit to the extension wire specifically comprises:
When the heartbeat detection messages sent by the IPS device on the primary circuit cannot be received in accordance with a preset condition, determining that the IPS device on the primary circuit is faulty, and switching the current network from the primary circuit to the extension wire by connecting the third boundary port of the safety guard to the first boundary port of the safety guard.
3. The method of claim 1, characterized in that, after the current network is switched from the primary circuit to the extension wire, the method further comprises:
Receiving the heartbeat detection messages sent by the IPS device and, when it is determined that the received heartbeat detection messages meet the preset condition, periodically sending connectivity testing messages to the primary circuit.
4. The method of claim 1 or 2, characterized in that periodically sending connectivity testing messages to the primary circuit to detect whether the primary circuit has returned to normal specifically comprises:
Periodically sending a connectivity testing message through the first boundary port of the safety guard to the first non-boundary port of the safety guard on the primary circuit, and judging whether the first boundary port of the safety guard can receive the connectivity response fed back by the second boundary port of the safety guard; if so, determining that the primary circuit has returned to normal; otherwise, determining that the primary circuit has not returned to normal.
5. The method of claim 4, characterized in that, after the primary circuit has been detected as normal throughout a continuous set duration, switching the current network from the extension wire to the primary circuit specifically comprises:
After the primary circuit has been detected as normal throughout a continuous set duration, switching the current network from the extension wire to the primary circuit by connecting the third boundary port of the safety guard to the second boundary port of the safety guard, and stopping the sending of connectivity testing messages to the primary circuit.
6. A safety guard with external bypass functionality (Bypass), characterized in that it comprises:
A control unit, configured to notify a processing unit, when a fault of the Intrusion Prevention System (IPS) device on the primary circuit is detected, to switch the current network from the primary circuit to the extension wire;
The control unit is further configured to periodically send connectivity testing messages to the primary circuit to detect whether the primary circuit has returned to normal and, after the primary circuit has been detected as normal throughout a continuous set duration, to notify the processing unit to switch the current network from the extension wire to the primary circuit;
The control unit is further configured to:
In a pre-configuration stage, configure the primary circuit and the extension wire between a first network device and a second network device, wherein
Using the primary circuit, the first network device can send service messages to the second network device by passing successively through the first boundary port of the safety guard, the first non-boundary port of the safety guard, the IPS device, the second boundary port of the safety guard, and the third boundary port of the safety guard;
Using the extension wire, the first network device can send service messages to the second network device by passing successively through the first boundary port of the safety guard and the third boundary port of the safety guard;
Wherein the control unit can send and respond to connectivity testing messages through the boundary ports, and the non-boundary port can directly transparently transmit the connectivity testing messages.
7. The device of claim 6, characterized in that, when a fault of the IPS device on the primary circuit is detected and the current network is switched from the primary circuit to the extension wire, the processing unit is specifically configured as follows:
When the control unit cannot receive, in accordance with a preset condition, the heartbeat detection messages sent by the IPS device on the primary circuit, it is determined that the IPS device on the primary circuit is faulty, and the processing unit switches the current network from the primary circuit to the extension wire by connecting the third boundary port of the safety guard to the first boundary port of the safety guard.
8. The device of claim 6, characterized in that, after the current network is switched from the primary circuit to the extension wire, the control unit is further configured to:
Receive the heartbeat detection messages sent by the IPS device and, when it is determined that the received heartbeat detection messages meet the preset condition, periodically send connectivity testing messages to the primary circuit.
9. The device of claim 6 or 7, characterized in that, when periodically sending connectivity testing messages to the primary circuit to detect whether the primary circuit has returned to normal, the control unit is specifically configured to:
Periodically send a connectivity testing message through the first boundary port of the safety guard to the first non-boundary port of the safety guard on the primary circuit, and judge whether the first boundary port of the safety guard can receive the connectivity response fed back by the second boundary port of the safety guard; if so, determine that the primary circuit has returned to normal; otherwise, determine that the primary circuit has not returned to normal.
10. The device of claim 9, characterized in that, when the current network is switched from the extension wire to the primary circuit after the control unit has detected the primary circuit as normal throughout a continuous set duration, the processing unit is specifically configured to:
After the control unit has detected the primary circuit as normal throughout a continuous set duration, switch the current network from the extension wire to the primary circuit by connecting the third boundary port of the safety guard to the second boundary port of the safety guard, and cause the control unit to stop sending connectivity testing messages to the primary circuit.
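The switching logic of claims 1 to 5 as a small simulation, added here as an illustration and not taken from the patent or from any vendor product. The class, parameter names and the three threshold values are assumptions (the claims only speak of a "preset condition" and a "set duration"); `BACKUP` stands for the page's extension wire.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Line(Enum):
    PRIMARY = "primary"  # traffic traverses the IPS
    BACKUP = "backup"    # traffic bypasses the IPS (the "extension wire")

@dataclass
class BypassController:
    # Assumed thresholds: the claims only say "preset condition"/"set duration".
    heartbeat_timeout: float = 3.0  # silence longer than this => IPS fault
    probe_interval: float = 1.0     # period of connectivity testing messages
    stable_duration: float = 5.0    # continuous healthy time before switch-back
    line: Line = Line.PRIMARY
    last_heartbeat: float = 0.0
    next_probe: float = 0.0
    healthy_since: Optional[float] = None
    events: list = field(default_factory=list)

    def tick(self, now: float, heartbeat: bool, probe) -> Line:
        """probe() is True when boundary port 1's test message is answered by port 2."""
        if heartbeat:
            self.last_heartbeat = now
        heartbeat_ok = now - self.last_heartbeat <= self.heartbeat_timeout
        if self.line is Line.PRIMARY:
            if not heartbeat_ok:
                self._switch(Line.BACKUP, now)
            return self.line  # no probes are sent while on the primary line
        if not heartbeat_ok:  # on backup and the IPS is still silent: no probing
            self.healthy_since = None
            return self.line
        if now >= self.next_probe:
            self.next_probe = now + self.probe_interval
            if not probe():
                self.healthy_since = None  # any lost probe restarts the window
            elif self.healthy_since is None:
                self.healthy_since = now
            elif now - self.healthy_since >= self.stable_duration:
                self._switch(Line.PRIMARY, now)
        return self.line

    def _switch(self, target: Line, now: float) -> None:
        self.line, self.healthy_since = target, None
        self.events.append((now, target.value))

def simulate() -> list:
    """Constructed timeline: IPS silent for t=5..11, one lost probe at t=15."""
    ctl = BypassController()
    for t in range(25):
        ctl.tick(float(t), heartbeat=not 5 <= t <= 11, probe=lambda: t != 15)
    return ctl.events
```

In the constructed timeline the lost probe at t=15 restarts the stability window, so the switch back to the primary line happens at t=21 rather than t=17.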
CN201510505253.9A 2015-08-17 2015-08-17 A kind of safeguard method and device of external Bypass Active CN105099825B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510505253.9A CN105099825B (en) 2015-08-17 2015-08-17 A kind of safeguard method and device of external Bypass

Publications (2)

Publication Number Publication Date
CN105099825A CN105099825A (en) 2015-11-25
CN105099825B true CN105099825B (en) 2018-10-02

Family

ID=54579436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510505253.9A Active CN105099825B (en) 2015-08-17 2015-08-17 A kind of safeguard method and device of external Bypass

Country Status (1)

Country Link
CN (1) CN105099825B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108924044B (en) * 2018-06-22 2020-12-11 迈普通信技术股份有限公司 Link maintenance method, PE device and readable storage medium
CN109039825B (en) * 2018-08-30 2021-12-21 湖北微源卓越科技有限公司 Network data protection device and method
CN109862042A (en) * 2019-03-27 2019-06-07 泰萍科技(杭州)有限公司 A kind of isomeric network security reinforcement means and device
CN110535860A (en) * 2019-08-30 2019-12-03 杭州迪普信息技术有限公司 The method and Network Security Device of flow are blocked when a kind of Network Security Device is restarted
CN111277567B (en) * 2020-01-09 2022-10-25 奇安信科技集团股份有限公司 Intrusion prevention processing method and device
CN112887016B (en) * 2021-01-29 2022-07-12 中国人民解放军战略支援部队信息工程大学 Service main and standby processing device and method for ATCA system scene

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5825850A (en) * 1996-10-02 1998-10-20 Time Warner Entertainment Co. L.P. Automatic bypass switch for signal conductor
CN101296064A (en) * 2008-06-18 2008-10-29 杭州华三通信技术有限公司 Bypass switching method, system and bypass equipment
CN103209099A (en) * 2013-05-03 2013-07-17 广州市成格信息技术有限公司 Automatic switching protection method for network communication circuit between nodes
CN104601362A (en) * 2014-12-02 2015-05-06 重庆晴彩科技有限公司 Network physical link switching heartbeat signal detection method
CN104796329A (en) * 2014-01-16 2015-07-22 中国移动通信集团北京有限公司 Automatic link switching method and automatic link switching device

Also Published As

Publication number Publication date
CN105099825A (en) 2015-11-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.